Changes to Code Signing

Started by korebreach, June 25, 2021, 08:59:31 AM


korebreach

We are in the situation where we have an "all purposes" certificate, rather than a "code signing" certificate as our WSUS cert.  This cert is placed in the appropriate stores and was specified for use by PMPC (signing the detection script, etc.).  We knew from articles on these forums that this wasn't going to work, as PMPC requires a true "code signing" certificate.  Because our SCCM environment client settings are configured for "bypass" on PowerShell scripts, this wasn't a problem.  Detection script signing would fail, but it wouldn't matter.  The only evidence of the failures was that our PMPC reports would show, "An error occurred while signing the file, but there is no error message to display."  The report would show that the application creation failed, but it was still present in SCCM.  It just didn't have the detection script signed.

We knew that we needed to get around to fixing this, especially since we are doing initial steps into Intune, and at that point, the detection script signing would be necessary.

However... on June 16th, PMPC released an update to the publishing service, which was installed automatically during a sync.  The release notes show that some functionality was added to re-sign updates, as well as an option to do a registry key related to signing with PowerShell vs. .NET.  None of this seems quite applicable to our situation (using an all-purposes certificate), but for some reason, even without setting any registry key, the signing seems to now be working.  No errors in the publishing logs.  No errors in the reports.

Looking at the publishing logs, I see:

Creating PowerShell detection script.   Worker   6 (0x0006)
Signing C:\Program Files\Patch My PC\Patch My PC Publishing Service\Detection Method Scripts\VLC Media Player 3.0.16 (EXE-x64).ps1 with the code signing certificate [Thumbprint=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX][Store=LocalMachine\WSUS]   CertManager   6 (0x0006)
Signing with Windows native method...   CertManager   6 (0x0006)

So, it appears that the detection scripts are now getting signed.  Is this just a happy undocumented extra bonus?
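The post turns on two things an administrator can check directly: whether the certificate in the store the publishing service references actually carries the Code Signing enhanced key usage (an "all purposes" certificate has an empty EKU list), and whether a given detection script ends up with a valid Authenticode signature. The following PowerShell is an added example, not code from the thread or from Patch My PC; it uses only built-in cmdlets, and the store path `Cert:\LocalMachine\WSUS` is taken from the log lines above, while `$ScriptPath`, the thumbprint and the timestamp URL are placeholders to replace.

```powershell
# Added example (not from the thread or from Patch My PC).
# 1. Report the EKU situation for every certificate in the store PMPC references.
# 2. Sign one script with a chosen certificate and verify the resulting signature,
#    which is how a client running AllSigned/RemoteSigned (rather than Bypass) judges it.

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'            # Code Signing EKU object identifier
$ScriptPath     = 'C:\Temp\Detect-Example.ps1'   # placeholder: a detection script to sign
$Thumbprint     = 'REPLACE_WITH_THUMBPRINT'      # placeholder: thumbprint of the cert to use
$TimestampUrl   = 'http://timestamp.example'     # placeholder: your RFC 3161 timestamp service

# Inspect the store named in the publishing log ([Store=LocalMachine\WSUS]).
Get-ChildItem -Path Cert:\LocalMachine\WSUS | ForEach-Object {
    $ekus = @($_.EnhancedKeyUsageList)
    [pscustomobject]@{
        Thumbprint     = $_.Thumbprint
        Subject        = $_.Subject
        NotAfter       = $_.NotAfter
        # An empty EKU list is the "all purposes" certificate described in the post.
        AllPurposes    = ($ekus.Count -eq 0)
        HasCodeSigning = [bool]($ekus | Where-Object { $_.ObjectId -eq $CodeSigningOid })
        HasPrivateKey  = $_.HasPrivateKey
    }
} | Format-Table -AutoSize

# Select the signing certificate by thumbprint and sign the script with SHA-256 and a timestamp,
# so the signature stays verifiable after the certificate itself expires.
$cert = Get-ChildItem -Path Cert:\LocalMachine\WSUS |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\WSUS" }

$result = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampUrl
"Signing status: $($result.Status) - $($result.StatusMessage)"

# Verify independently of the signing call. 'Valid' means the hash matches and the
# certificate chains to a trusted root on this machine; 'UnknownError' or
# 'NotSigned' is what an AllSigned client would refuse to run.
$verify = Get-AuthenticodeSignature -FilePath $ScriptPath
"Verification: $($verify.Status) signed by $($verify.SignerCertificate.Subject)"
```

Running the first part before and after a certificate change shows at a glance whether the signing failures were an EKU problem or something else; the `AllPurposes` column is true for exactly the kind of certificate the post describes. Because the site uses `Bypass` for PowerShell scripts, an unsigned or badly signed detection script still runs there, so the `Get-AuthenticodeSignature` check is the only place the difference becomes visible until the same scripts are delivered through Intune with a stricter policy.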

Andrew Jimenez (Patch My PC)

You are correct. Our new native code signing method is much less picky in terms of certificate usage.

korebreach